This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.
References
Link | Resource |
---|---|
https://bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/ | Exploit Patch Third Party Advisory |
https://github.com/yairEO/tagify/commit/198c0451fad188390390395ccfc84ab371def4c7 | Patch Third Party Advisory |
https://github.com/yairEO/tagify/issues/988 | Exploit Issue Tracking Third Party Advisory |
https://github.com/yairEO/tagify/releases/tag/v4.9.8 | Release Notes Third Party Advisory |
https://snyk.io/vuln/SNYK-JS-YAIREOTAGIFY-2404358 | Third Party Advisory |
Configurations
History
No history.
Information
Published : 2022-04-29 20:15
Updated : 2024-02-28 19:09
NVD link : CVE-2022-25854
Mitre link : CVE-2022-25854
CVE.ORG link : CVE-2022-25854
JSON object : View
Products Affected
tagify_project
- tagify
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')